The present invention generally relates to a software update in an embedded device.
An embedded system is a specialized computer system, including both hardware and software, which forms a part of a larger system or machine. Furthermore, the larger system or machine may have a plurality of embedded systems. Typically, each of the embedded systems is housed on a single microprocessor board with firmware stored as object code within a non-volatile memory device.
The larger system or machine that utilizes the embedded system may be any of a wide variety of systems, ranging from telephones, to mass storage devices, to digital satellite receivers, and the like. The embedded systems commonly utilize software, including firmware that provides an operating system managing the low-level functions of the embedded system.
Typically, an embedded system provides for a code update process to support new features or to fix problems in the firmware (i.e., firmware upgrade). In many cases, the firmware upgrade will take the larger system or machine out of service for some period of time during which the firmware upgrade is performed.
To provide a firmware updating feature, the embedded system usually includes Flash memory to store the firmware. The firmware usually comprises both a bootloader and a main firmware, stored in a boot sector of the Flash memory. The bootloader is placed at the first memory address of the Flash memory and is executed at boot-up time; it serves as failsafe firmware in case the main firmware is corrupted. Before the main firmware is actually executed, the bootloader tests its integrity, preferably by computing a checksum and comparing it with a stored result or predetermined value. The bootloader may further diagnose whether the main firmware is corrupt and enable an update of a corrupt main firmware. If the bootloader does not detect an integrity error, it either branches the microprocessor to the first address of the main firmware or loads the main firmware. If the bootloader detects an integrity error, it can use an I/O interface to receive replacement code for the main firmware. Alternatively, a backup main firmware may be provided so that a failed integrity test results in the execution of the backup main firmware.
In practice, some systems already in use, such as access cards or smartphones, may require an improved security level. Indeed, a known attack for bypassing the security features of the main firmware consists of changing the address of the main firmware recited in the bootloader program, so that a fake main firmware is executed by the system. The bootloader can also be attacked in order to download a fake main firmware update and trigger its execution.
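As an added example (not code from the patent or any product it describes), the following C model simulates the boot flow described above: a bootloader table naming a main slot and a backup slot, a checksum integrity test run before branching, fallback to the backup image when the main image fails the test, and a recovery path when both images fail. It then reproduces the attack described above. Because a checksum only detects accidental corruption, an attacker who can rewrite the address recited in the bootloader's table, together with the stored checksum, gets a fake image accepted by the very same integrity test. The flash layout, the table format, the Fletcher-style checksum and every name here are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the boot flow described in the text. The flash layout,
 * the slot table, the checksum and every name here are assumptions made for
 * this example, not the patent's own design. */
#define FLASH_SIZE    256
#define MAIN_OFFSET    64
#define BACKUP_OFFSET 128
#define SLOT_LEN       32
#define RECOVERY      UINT32_MAX  /* no intact slot: take replacement code over I/O */

typedef struct {
    uint32_t start;     /* offset of the slot's first instruction in flash */
    uint32_t length;    /* number of bytes covered by the checksum */
    uint32_t checksum;  /* value recorded when the slot was programmed */
} slot_t;

typedef struct {
    uint8_t flash[FLASH_SIZE];   /* simulated non-volatile memory */
    slot_t  main_fw, backup_fw;  /* table entries the bootloader consults */
} device_t;

/* Fletcher-32 style checksum: catches accidental corruption only; whoever can
 * rewrite the image can also rewrite the stored checksum to match. */
uint32_t checksum32(const uint8_t *p, size_t n)
{
    uint32_t a = 0, b = 0;
    for (size_t i = 0; i < n; i++) {
        a = (a + p[i]) % 65535;
        b = (b + a) % 65535;
    }
    return (b << 16) | a;
}

/* Integrity test the bootloader runs before branching to a slot. */
bool slot_intact(const device_t *dev, const slot_t *s)
{
    if (s->length == 0 || s->start > FLASH_SIZE || s->length > FLASH_SIZE - s->start)
        return false;   /* entry points outside flash: treat as corrupt */
    return checksum32(dev->flash + s->start, s->length) == s->checksum;
}

/* Boot decision: address of the main firmware if intact, else of the backup,
 * else RECOVERY, where the bootloader waits for a replacement main firmware. */
uint32_t boot_entry(const device_t *dev)
{
    if (slot_intact(dev, &dev->main_fw))   return dev->main_fw.start;
    if (slot_intact(dev, &dev->backup_fw)) return dev->backup_fw.start;
    return RECOVERY;
}

/* Write constructed "code" bytes into a slot and record the checksum, as a
 * factory programmer, an update tool, or an attacker with write access would. */
void program_slot(device_t *dev, slot_t *s, uint32_t start, uint8_t fill)
{
    memset(dev->flash + start, fill, SLOT_LEN);
    s->start = start;
    s->length = SLOT_LEN;
    s->checksum = checksum32(dev->flash + start, SLOT_LEN);
}

/* Fresh device: main image at MAIN_OFFSET, backup image at BACKUP_OFFSET. */
void device_init(device_t *dev)
{
    memset(dev, 0, sizeof *dev);
    program_slot(dev, &dev->main_fw, MAIN_OFFSET, 0xA5);
    program_slot(dev, &dev->backup_fw, BACKUP_OFFSET, 0x5A);
}

/* Accidental damage (e.g. an interrupted update): flip one bit per chosen image. */
uint32_t boot_after_corruption(bool main_damaged, bool backup_damaged)
{
    device_t dev;
    device_init(&dev);
    if (main_damaged)   dev.flash[MAIN_OFFSET + 7]   ^= 0x01;
    if (backup_damaged) dev.flash[BACKUP_OFFSET + 3] ^= 0x80;
    return boot_entry(&dev);
}

/* The attack from the text: a fake image is written at another address and the
 * address recited in the bootloader's table is changed to it, with a matching
 * checksum. The integrity test passes and the fake image is what runs. */
uint32_t boot_after_table_redirect(void)
{
    device_t dev;
    device_init(&dev);
    program_slot(&dev, &dev.main_fw, 192, 0xEE);
    return boot_entry(&dev);
}

int main(void)
{
    printf("intact %u, main damaged %u, both damaged %u, redirected %u\n",
           boot_after_corruption(false, false), boot_after_corruption(true, false),
           boot_after_corruption(true, true), boot_after_table_redirect());
}
```

The first three scenarios show the failsafe behaviour the text describes: the device boots at 64, falls back to 128 when the main image is damaged, and reports RECOVERY when both are. The last scenario is the caveat a practitioner should attach to the checksum approach: it separates an intact image from a damaged one, not a genuine image from a substituted one, so redirecting the table to a fake image with a recomputed checksum is accepted just like a legitimate update. That is the gap behind the call for an improved security level in the text.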
There is thus a need for a convenient software updating process that can be carried out by users during the life cycle of the system, so that security issues can be fixed during the life cycle of the system.
In the specific case of a bootloader updating process, the process must be particularly safe, since a system deprived of a valid bootloader can become unrecoverable.